Two new critical vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), were publicly disclosed today, impacting React and Next.js applications. These issues allow unauthenticated remote code execution under default framework configurations, requiring no special setup or developer mistakes. Testing confirms that even newly generated Next.js applications created with create-next-app and built for production are immediately vulnerable without any code modifications.

Executive Summary

  • CVE IDs:
    • CVE-2025-55182 (React Server Components)
    • CVE-2025-66478 (Next.js)
  • Severity: CVSS 10.0 (Critical).
  • The Risk: Unauthenticated remote code execution (RCE).
  • Hosting Note: Projects hosted on Vercel are covered by platform-level protections that block the malicious request patterns. However, you must still upgrade to ensure your codebase is secure regardless of the hosting environment.

Technical Details

The vulnerability lies in the react-server packages’ handling of HTTP requests sent to Server Function endpoints. The vulnerable code unsafely deserializes payloads from these requests. An attacker can craft a malicious HTTP payload that, when processed by the server, triggers the execution of arbitrary code. This occurs pre-authentication.

Scope of Impact

  • Default Vulnerability: Testing confirms that even a newly generated Next.js application (create-next-app) built for production is immediately vulnerable without any code modifications.
  • Broad Reach: Even if your application does not explicitly implement React Server Functions, it is likely vulnerable if your infrastructure or framework supports React Server Components (RSC).

Affected Software

1. Core React Packages

The following packages are vulnerable in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

2. Next.js Framework

You are affected if you use:

  • Next.js 15 or 16 (App Router).
  • Next.js 14 Canary: Versions ≥14.3.0-canary.77.

3. Other Frameworks

Any framework bundling the vulnerable React RSC implementation is affected, including:

  • React Router
  • Waku
  • RedwoodJS (rwsdk)
  • Parcel (@parcel/rsc)
  • Vite RSC Plugin (@vitejs/plugin-rsc)

Resolution & Fixed Versions

Fixed Next.js Versions

If you are using Next.js, upgrade to one of the following patch releases:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

Downgrade Notice for Next.js 14 Users: If you are currently on a vulnerable Canary version of Next.js 14 (≥14.3.0-canary.77), the recommended fix is to downgrade to the latest stable Next.js 14.x release.

Fixed React Versions

If you are managing React dependencies directly or using another framework, ensure react-server-dom-* packages resolve to:

  • 19.0.1
  • 19.1.2
  • 19.2.1

How to Patch

Run the following in your terminal:

# For Next.js Users (npm)
npm install next@latest react@latest react-dom@latest

# For Next.js Users (yarn)
yarn upgrade next react react-dom

After updating, verify your package-lock.json or yarn.lock to ensure the nested react-server-dom dependencies match the fixed versions listed above.
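To automate that lock-file check, the following is an added example (not Upwind's, Vercel's or React's own tooling): it scans a package-lock.json for the vulnerable react-server-dom-* versions and for Next.js entries that are not on one of the fixed releases listed above. It assumes the npm lockfileVersion 2/3 layout (a `packages` map keyed by node_modules path) and ships with a constructed sample lockfile so it runs offline.

```javascript
// Added example (not Upwind's, Vercel's or React's own tooling): audit a
// package-lock.json (lockfileVersion 2 or 3 assumed) for the vulnerable
// react-server-dom-* builds and unpatched Next.js releases listed above.
const VULN_REACT_SERVER_DOM = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched Next.js release per major.minor line, as listed in the advisory.
const FIXED_NEXT_PATCH = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}

// True only for releases the advisory lists as safe; unknown minor lines and
// prerelease builds are reported for review rather than assumed fixed.
function nextIsFixed(version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (v.major === 14) { // stable 14.x is unaffected; canaries >= 14.3.0-canary.77 are not
    const canary = /^canary\.(\d+)$/.exec(v.pre);
    if (!canary) return v.pre === "";
    return v.minor < 3 || (v.minor === 3 && v.patch === 0 && +canary[1] < 77);
  }
  const fixed = FIXED_NEXT_PATCH[`${v.major}.${v.minor}`];
  return fixed !== undefined && v.pre === "" && v.patch >= fixed;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // root entry carries no version
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // text after last "node_modules/"
    if (name.startsWith("react-server-dom-") && VULN_REACT_SERVER_DOM.has(meta.version))
      findings.push({ path, version: meta.version, reason: "vulnerable react-server-dom build" });
    else if (name === "next" && !nextIsFixed(meta.version))
      findings.push({ path, version: meta.version, reason: "Next.js not on a listed fixed release" });
  }
  return findings;
}

// Constructed sample: top-level packages look patched, but a nested copy of
// react-server-dom-webpack under next/ is still on a vulnerable version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/next": { version: "16.0.7" },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
} };

if (typeof require === "function" && require.main === module) { // usage: node audit-lock.js [package-lock.json]
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Run it against your real lockfile after `npm install`; any line it prints names a nested package that `npm install next@latest` did not bring onto a fixed version.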

How Upwind Protects You

While patching is the first step, ensuring your runtime environment remains secure during the upgrade window is critical. Upwind protects your applications from the active exploitation of vulnerabilities through:

  • Comprehensive Dependency Intelligence: Automatically maps every package and version used across your environment (including nested dependencies like react-server-dom-webpack), highlighting vulnerable artifacts and ensuring your upgrade path is free from supply chain tampering.
  • Real-Time Runtime Monitoring: Uses sensor technology to detect the Remote Code Execution (RCE) payloads associated with this vulnerability, such as unexpected shell commands, unauthorized process spawning, and outbound connections initiated by the server process.
  • Behavior-Based Detection: Analyzes developer and workload activity to surface the patterns relied on by RCE exploits including abnormal deserialization behavior, rapid file system changes, and unusual automation identities attempting to execute code.
  • Context-Driven Risk Prioritization: Correlates the vulnerable React packages with the specific workloads, developers, and secrets they impact. Upwind provides clear, actionable guidance so security teams can instantly isolate affected systems and verify that patches have been successfully applied.
  • API Detections: Upwind has already implemented dedicated API-level runtime detections to identify malicious requests attempting to exploit these vulnerabilities.

For support in identifying vulnerable React components or detecting active exploitation, reach out to [email protected].